|Publication number||US9811667 B2|
|Application number||US 13/239,271|
|Publication date||Nov 7, 2017|
|Filing date||Sep 21, 2011|
|Priority date||Sep 21, 2011|
|Also published as||US9251351, US20130247206, US20130247207|
|Publication number||13239271, 239271, US 9811667 B2, US 9811667B2, US-B2-9811667, US9811667 B2, US9811667B2|
|Inventors||James M. Hugard, IV, Alexander Lawrence Leroux, Charles Mallabarapu, Jorge Armando Muniz, Braden C. Russell, Zengjue Wu|
|Original Assignee||Mcafee, Inc.|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (66), Non-Patent Citations (16), Classifications (8), Legal Events (2)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This disclosure relates in general to the field of computer networks and, more particularly, to a system and a method for grouping computer vulnerabilities.
The field of computer network administration and support has become increasingly important and complicated in today's society. Computer network environments are configured for virtually every enterprise or organization, typically with multiple interconnected computers (e.g., end user computers, laptops, servers, printing devices, etc.). In many such enterprises, Information Technology (IT) administrators may be tasked with maintenance and control of the network environment, including executable software files on hosts, servers, and other network computers. As the number of executable software files in a network environment increases, the ability to control, maintain, and remediate these files efficiently can become more difficult. Generally, greater diversity of software implemented in various computers of a network translates into greater difficulty in managing such software. For example, in large enterprises, executable software inventories may vary greatly among end user computers across departmental groups, requiring time and effort by IT administrators to identify and manage executable software in such a diverse environment. In addition, IT administrators and other users may want to use efficient computer scanning methods to identify and remove vulnerabilities quickly and effectively. When networks have hundreds to millions of nodes, scanning all the nodes for many possible vulnerabilities presents challenges to IT administrators. In many cases, IT administrators may have to run approximately 30,000 vulnerability checks covering thousands of applications and operating systems, and perform dozens to hundreds of new checks in any given week. Thus, innovative tools are needed to assist IT administrators in the effective control and management of executable software files and computer scan methods on computers within computer network environments.
To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:
A method in one embodiment includes modules for creating a vulnerability set including one or more vulnerabilities, adding the vulnerability set to a program, and updating the program by adding a new vulnerability to the vulnerability set. More specific embodiments include a program that includes a scan, creating the vulnerability set by generating a query including one or more conditions associated with the vulnerabilities, and creating the vulnerability set by selecting one or more vulnerabilities from a plurality of vulnerabilities. Other embodiments include a program that includes a report template, adding a vulnerability set to the report template by generating a query to include a condition associated with the vulnerability set, running a scan, and generating a report including one or more results from the scan meeting the condition associated with the vulnerability set and other features.
Vulnerability manager 20 comprises a user selection module 22 suitably connected to a vulnerability set module 24 comprising one or more vulnerability sets 26 (including one or more vulnerability sets 26A and 26B), an asset tag module 28 comprising one or more asset tags 30 (including one or more asset tags 30A and 30B), and a report module 32. A graphical user interface (GUI) 34, one or more processors 36 and one or more memory elements 38 can be accessed by user selection module 22. User selection module 22 communicates with tree module 40, rule module 42 and scan module 44.
Vulnerability sets 26 may be pre-configured groupings of vulnerability content that can be used during scanning and/or during reporting. As used herein, a scan is a program that checks for vulnerabilities in a network. When a scan is run, the program identifies vulnerabilities in various assets in a network. Vulnerability sets 26 can be used in scans to decide which vulnerabilities should be checked on scan targets (i.e., assets). For example, a selected vulnerability set, such as vulnerability set 26A or 26B, may contain certain vulnerabilities in Microsoft® Windows Server Service including: (1) a vulnerability that may allow for remote code execution; (2) a vulnerability that may allow for arbitrary code execution; and (3) a vulnerability that may allow for a denial of service attack. Scan module 44 may be used to generate a scan that includes checks for vulnerabilities included in the selected vulnerability set in various assets 18A-E. Vulnerability sets 26 can also be used in asset reports to decide which assets and vulnerabilities to include in the reports. As used herein, a report is a collection of identified vulnerabilities in a network. Vulnerability manager 20 may provide for creating report templates. As used herein, a report template is a program that searches for selected vulnerabilities in a result of a scan. When a report template is run, a corresponding report comprising a collection of the selected vulnerabilities is generated. Report module 32 may be configured to generate asset reports for assets corresponding to selected vulnerability sets 26 and asset tags 30.
The network environment illustrated in
Vulnerability manager 20 can discover and scan assets 18 on network 12, including dynamic/portable assets (e.g., mobile devices, laptops, notepads, smart-phones, etc.) and static assets (e.g., desktops, printers, etc.). Vulnerability manager 20 can also scan assets located in air-gapped and critical infrastructure environments. An air gap is a security measure for extraordinarily secure computers and computer networks, generally consisting of isolating the secure network physically, electrically, and electromagnetically from insecure networks, such as the public Internet or an insecure local area network. For example, air gapped secure networks are often not allowed an external connection. Any suitable device (e.g., a laptop or virtual scanner) configured with vulnerability manager 20 can be used to discover and scan these assets. The results can remain in the restricted environment or rolled up to report data to a centralized system. For dynamic or portable assets, vulnerability manager 20 can define scan groups while reducing repeated scans. Each scan can be targeted with combinations of asset tags 30, for example, Internet Protocol (IP) address ranges, organizations, system types, etc.
Vulnerability manager 20 can scan, and quickly find vulnerabilities in a plurality of assets 18 on network 12. In an example embodiment, vulnerability manager 20 may provide for a ticketing system to track and verify manual remediation. The breadth and depth of vulnerability scanning of vulnerability manager 20 can permit users 16 to pinpoint vulnerabilities in network 12 with a high level of precision. Vulnerability manager 20 can automatically discover, assess, and report selected vulnerabilities in selected assets in network 12. Vulnerability manager 20 can permit users 16 to monitor progress of the one or more scan engines 14, remotely or locally connected to a scanner, and manage the scanning and reporting process from a single console for a consolidated view of the vulnerability status of network 12. Users 16 can construct separate scan environments using scan module 44 and aggregate select data from the scan results after the fact using report module 32.
For purposes of illustrating the techniques of vulnerability scan system 10, it is important to understand the activities and security concerns that may be present in a given network such as the network shown in
Typical network environments, both in organizations (e.g., businesses, schools, government organizations, etc.) and in homes, include a plurality of computers such as end user desktops, laptops, servers, network appliances, and the like, with each computer having an installed set of executable software. In large organizations, network environments may include hundreds or thousands of computers, which can span different buildings, cities, and/or geographical areas around the world. IT administrators are often tasked with the extraordinary responsibility of maintaining these computers and their software in a way that minimizes or eliminates disruption to the organization's activities.
One difficulty IT administrators face when managing a network environment is ensuring that their organization's network security complies with regulatory and industry standards in risk compliance. Companies are under considerable pressure to protect customer information, customer privacy, and sensitive business information against threats from cyber criminals, competitors, and network hackers. For example, business partners may demand increasingly tight compliance in implementing and enforcing IT policies, processes, and controls around key assets and sensitive information. Effective risk management may entail accurate and comprehensive visibility into a company's assets and business processes. Such visibility may include detailed information on assets (e.g., operating system information, network services, applications, etc.) and vulnerabilities (e.g., operating system or application exploitable flaws) in the network. A comprehensive risk management lifecycle generally encompasses: (1) asset discovery; (2) vulnerability detection; (3) risk assessment; (4) remediation; (5) verification; and (6) audit/report.
Currently available risk management software programs can provide a list of assets on corporate networks, and the operating systems, services, and applications running on them. Vulnerability detection mechanisms in such software programs use scanning tools to discover network-based flaws, application vulnerabilities, database issues and configuration errors. Business risk can be established by weighing the severity of the vulnerability, the likelihood of it being exploited, the criticality of the asset and the business impact if the vulnerability is exploited, and the resources for mitigation and remediation. Remediation may be applied within the company's change control process, leveraging ticketing systems or whatever change mechanisms are in place. Verification (e.g., rescanning or other technical validation to verify the remediation's success) is usually performed and an audit/report is generated to document evidence that the vulnerability was discovered, assessed and remediated.
Scans according to such currently available risk management software programs cannot be chosen by severity, Common Vulnerabilities and Exposures (CVE) Number, or Microsoft (MS) Number to be auto-updated. Instead, a set of vulnerability checks are generally chosen during configuration. Unless an entire (vast) category of vulnerabilities are chosen to be checked during configuration, new/updated vulnerabilities or vulnerability checks cannot be included in future scans. Such risk management software programs do not have the capability to scan/report on selected vulnerabilities (e.g., vulnerabilities applicable to applications like Microsoft Word or Internet Explorer), and have those reports delivered to specific people in the organization. Such risk management software programs do not provide a method to choose content at scan or at report time from a rule-based system that can automatically review newer content and properly add/remove content. They also do not provide a capability to scan once, and, generate any desired report; instead, scans are generally targeted to obtain certain information, and any additional information may involve additional scans.
Moreover, such risk management software programs are typically manually operated, with IT administrators manually choosing scans to run based on available templates. For example, several industry standard scan templates are available to test for vulnerabilities applicable to specific regulations and standards (e.g., Health Insurance Portability and Accountability Act (HIPAA), Australian Information Security Manual (formerly known as ASCI 33), BASEL II, Bill 198 also known as Canadian Sarbanes-Oxley (CSOX), CoBIT (industry standards on IT governance), Federal Desktop Core Configuration (FDCC), International Standards Organization (ISO) 17799/ISO 27002/etc.). Moreover, some scan tests on some templates may overlap with scan tests on another template, leading to task duplication when both templates are selected to be scanned.
When a scan test is updated, for example, by adding a newly discovered vulnerability, the scan configuration including the template is not automatically updated. Thus, if the template is updated, the user would have to create a new scan based on the updated template in order to scan for the updated checks. IT administrators may manually add the updated scan test to the scan or add a new template with the updated scan test. When IT administrators have to manage hundreds and thousands of scan tests, manually updating the scan to add new tests is cumbersome and inefficient.
Moreover, for a proper security enforcement mechanism, an inventory of all assets in an enterprise is useful, and in many cases, necessary. However, maintaining an asset database of all assets may be challenging, in part because the asset list may be maintained in multiple records or lists. Tagging assets with relevant informational tags may aid IT administrators in identifying assets quickly. However, asset characteristics may change over time; for example, an asset that was loaded with Windows XP operating system may be upgraded to Windows 7 operating system. If the asset is tagged based on its previous operating system, the upgrade will not be captured in its asset tag unless a new tag is created. Therefore, there is a need to dynamically tag assets based on its characteristics.
A vulnerability scan system outlined by
Note that in this Specification, references to various features (e.g., elements, structures, modules, components, steps, operations, characteristics, etc.) included in “one embodiment”, “example embodiment”, “an embodiment”, “another embodiment”, “some embodiments”, “various embodiments”, “other embodiments”, “alternative embodiment”, and the like are intended to mean that any such features are included in one or more embodiments of the present disclosure, but may or may not necessarily be combined in the same embodiments.
Turning to the infrastructure of
Using processor 36, memory element 38, and appropriately configured GUI 34, vulnerability manager 20 can permit users 16 to create vulnerability sets 26 in vulnerability set module 24. In an example embodiment, organization and workgroup administrators of an organization can create vulnerability sets 26. Vulnerability sets 26 can be tree-based vulnerability set 26A or rule-based vulnerability set 26B. In an example embodiment, GUI 34 may be configured to permit user 16 to select an option from a drop down menu that displays a choice between a rule based set and a tree based set. When user 16 selects the tree based set, user selection module 22 may call tree module 40 to create tree based vulnerability set 26A.
Tree module 40 can configure tree-based vulnerability set 26A outside of a scan configuration and allow multiple scan configurations to utilize the same selection of vulnerabilities. Tree module 40 can also allow user 16 to update the vulnerability selection in the tree without stopping, modifying, and re-scheduling an existing scan. For example, modifications can be made outside the scan configuration (e.g., in vulnerability set 26A) and at the next run time, the updated vulnerability set can be used. Thus, a scan may be updated by adding a new vulnerability to the plurality of vulnerabilities, and modifying the previously saved vulnerability set by selecting/adding the new vulnerability. In an example embodiment, tree based vulnerability set 26A may use a hierarchical tree where individual scans are organized, for example, by module and category. Each category can be set to update automatically when new vulnerabilities are added to that category.
Rule module 42 may configure rule-based vulnerability set 26B from a “query” like set of rules that can be used to determine which vulnerability checks are in the scan or report. As used herein, the term “query” includes a request for information retrieval comprising a logical expression of conditions. Rule based vulnerability set 26B may be created by generating a query including a nested condition expression associated with one or more vulnerabilities (e.g., defines vulnerabilities to be selected) in a plurality of vulnerabilities and by running the query during a scan. When the query runs, all vulnerabilities meeting the nested condition expression are added to rule-based vulnerability set 26B. Thus, each time a scan is run, the nested condition expression is evaluated to determine which vulnerability checks should be run in the scan. This method can ensure that scans are always up-to-date.
Rule based vulnerability set 26B allows user 16 to keep scans up-to-date without manually changing vulnerability sets or any scans. For example, if user 16 wants to include all vulnerabilities with a particular Microsoft Security Bulletin number (MS-Number) in a scan, a rule for that MS-Number may be created (e.g., in the form of a query) and all vulnerabilities with that MS-Number can be included in the scan, regardless of when those vulnerabilities were added (e.g., rule may be created before a new vulnerability with that MS-Number is added to a list of known vulnerabilities).
GUI 34 may be suitably configured to allow user 16 to create the nested condition expressions, for example, using AND/OR logic. AND logic searches for any vulnerability containing all of the conditions specified in the nested group. OR logic searches for any vulnerability containing any of the conditions specified in the nested group. In an example embodiment, the nested condition expression using AND/OR may allow the following operators: EQ—Equals; NE—Not Equals; GT—Greater Than; LT—Less Than; GE—Greater Than or Equal; LE—Less Than or Equal; Contains; and Does not Contain. Example conditions include vulnerability category, CVE Number, Common Weakness Enumeration (CWE), intrusive check, module (e.g., General Vulnerability, Windows Host, Wireless, Shell, or Web), MS Number, risk, specific vulnerability, vulnerability name, vulnerability severity, etc. In an example embodiment, when vulnerability set 26B is saved, vulnerability manager 20 may convert the query into a Structured Query Language (SQL) statement. The SQL statement may be saved and used to get the selected vulnerabilities when user 16 previews vulnerability set 26B, or runs a scan using rule based vulnerability set 26B. The rules may be saved as an XML document and presented to the user in GUI 34 when user 16 calls user selection module 22. In one embodiment, SQL statements and/or XML documents may be stored in a database with vulnerability sets 26.
In an example embodiment, a query may be as formed as shown in
This rule based method can provide at least two advantages: 1) it allows content selection to be based in “real world terms,” for example, report on all high and medium risk vulnerabilities where the vulnerability name contains product or enterprise names such as “Internet Explorer,” or “Acrobat,” or “Flash,” or “QuickTime,” etc.; and 2) rule based vulnerability set 26B may be assessed at every scan or report run so any new/updated vulnerability content can automatically be included. To update a scan to add a new vulnerability, the query may simply be re-run to include the new vulnerability in the scan.
In an example embodiment, content in vulnerability set 26B can be auto-updated using rule module 42. For example, user 16 may build scans that can seek multiple types of vulnerabilities, such as “scan for all high and medium risk vulnerabilities” AND “have the scan update the content every time the scan or report is run so that the latest high and medium risk vulnerabilities are included.” To create such scans with rule-based vulnerability set 26B including the above specifications, user 16 can run a vulnerability set wizard in vulnerability set module 24 using appropriately configured GUI 34. In an example embodiment, GUI 34 may be configured to run a software wizard when user 16 clicks on a “Create New” button. A new rule-based vulnerability set 26B may be created under a suitable name, for example, user 16 may type a name such as “Latest High and Medium Risk Vulnerabilities.” User 16 may then select the rule based option rather than the tree based option from the drop down menu in order to create a list of checks for vulnerability set 26B.
In an example embodiment, a default rule that the vulnerability is non-intrusive may be pre-set according to rule module 42. User 16 can add custom rules to rule module 42. In the example embodiment, user 16 may add rules with a desired logic, for example, “High or Medium” vulnerability. In an example embodiment, GUI 34 may be configured to permit user 16 to add a condition and choose from a pull down menu showing vulnerability severity. Alternatively, GUI 34 may be configured to permit user 16 to type in the desired vulnerability severity. When user 16 selects the condition “contains” and chooses “High” and “Medium” severity, a new rule that can return a set of vulnerability content based on “non-intrusive AND high OR medium severity vulnerabilities” can be created. Scans and reports that are based on this vulnerability set 26B (i.e., vulnerability set with the name “Latest High and Medium Risk Vulnerabilities”) may evaluate the corresponding rule prior to running the scan or report. Thus, user 16 can get the latest set of content that matches the rule.
According to another example embodiment, rule module 42 may contain features that allow users 16 to easily build complex expressions for inclusion and exclusion of vulnerabilities for scanning and reporting. For example, users 16 may scan or report on vulnerabilities that apply to, for example, Microsoft Word, Mozilla Firefox, Safari or some other details. To build a rule-based vulnerability set with a more complex expression, a new vulnerability set with a suitable name (e.g., “Application Vulnerabilities”) may be created according to a custom rule, for example, designed by an expression that may scan or report on vulnerabilities in desktop applications that are of interest. In an example embodiment, user 16 may add an addition to the existing default rule (e.g., “intrusive equals no”). The added condition may be a nested group with a logic of: “vulnerabilities in application 1” OR “vulnerabilities in application 2” etc.
GUI 34 may be configured to permit users 16 to rename static asset tag 30A. When static asset tag 30A is renamed, relevant assets using that tag can be updated automatically, including scan configurations, asset report templates, and any asset tags that reference the updated asset tag. In an example embodiment, GUI 34 may be configured to select an asset tag to rename. GUI 34 may also be configured to delete asset tags. When static asset tag 30A is deleted, the asset tag may be removed from relevant assets using that tag. In an example embodiment, in an asset report or a dynamic asset tag referencing static asset tag 30A, deleted tags appear as “<Deleted Asset Tag>”. In scan configurations, the deleted asset tag may be removed entirely from the scan target page.
Multiple tags 30 can be applied to one or more assets to narrow a search for specific assets. For example, using multiple asset tags 30, administrators can tag all Windows assets that belong to the finance department located in North America. Users 16 can search or browse for assets 18 in a scan configuration, generate an asset report using report module 32, and manage assets 18 based on asset tags 30. In an example embodiment, GUI 34 may be configured to present user 16 with a search and select tool of assets that allows selecting multiple assets at a time. GUI 34 can be configured to apply the newly created tag to selected assets or all assets across all search result pages.
Asset tag module 28 may also permit creating dynamic asset tag 30B. Dynamic asset tags 30B may be applied automatically or manually. Dynamic asset tags 30B can be used in scan configurations, asset report templates, referenced in another dynamic asset tag, or searching for assets. Dynamic asset tags 30B may also be generated using a query based on asset filters, using various criteria. For example, assets 18 can be filtered by operating system, asset criticality (e.g., how important the asset is to the company), and severity of a vulnerability found on the asset. In an example embodiment, running the query applies dynamic asset tag 30B to assets 18 that meet the filter criteria. In another example embodiment, users 16 can filter for all assets with a particular operating system and with a high criticality level that have one or more severe vulnerabilities.
In an example embodiment as shown in
Users 16 may add asset filters to a query. Queries containing asset filters may also be referred herein as “asset filter expressions.” When the query runs, the name of dynamic asset tag 30B is applied to any asset that meets the conditions of the asset filters. Asset tag options (e.g., commands such as ADD, DELETE, EDIT etc.) may be used to generate the query using asset filters. The following table lists some dynamic asset tag options that may be used in generating a query:
Add a condition at the current level in the hierarchy
Create a new condition on a new child-level in the
hierarchy. Nested conditions share the same operator.
Toggle between “AND” and “OR.” It affects all conditions
within the same hierarchical level.
AND: search for any record containing all of the conditions
specified in the nested group.
OR: search for any record containing any of the conditions
specified in the nested group.
Remove a condition from the criteria list.
Remove the conditions contained within a group.
The asset tag is updated every time it is used in a scan
configuration, asset report template, or asset search.
Generate a summarized expression of the conditions entered
in the filter. Each condition is represented by a number in
the expression. For example, the following expression
shows a filter with six conditions: 1 and (2 and (3 or 4) and
5) and 6.
The name of the dynamic asset tag.
In an example embodiment, GUI 34 may be configured to deselect automatic tagging to permit running a query for dynamic asset tag 30B manually. GUI 34 may be configured to add conditions or nested conditions to create an appropriate query. For example, GUI 34 may be appropriately configured to select a condition and applicable criteria (e.g., criterion “high” for condition “vulnerability severity”) from a drop-down list. The following table lists some conditions and their descriptions for generating dynamic asset tags 30B:
Filter assets by criticality level: None, Low, Limited, Moderate,
Significant, or Extensive. Select to include or exclude the designated
levels. Select multiple levels of criticality to include in a report.
Asset Group Name
Filter assets by the group name of a given asset. Select to include or
exclude the group name from the report. Enter partial information
and select whether the selection starts or ends with the partial
Filter assets by the label of a given asset.
Filter assets by an owner's name. GUI 34 may be configured to have
a setting to either include or exclude any assets associated with the
owner for the report.
Filter assets by the status of an asset. In an example embodiment,
an asset can be “Active,” “Inactive,” or “Undiscovered.”
Undiscovered may mean the asset was added manually but has not
been discovered by a scan.
Asset Tag Set
Filter assets by an asset tag.
Filter assets based on the success or failure of WHAM or Secure Shell
(SSH) authenticated access.
Filter assets by banner information.
Filter assets by CVE number to filter by a specific vulnerability.
Filter assets by those that have at least one false positive associated
with it, or have no false positives associated with it.
Host DNS Name
Include or exclude any assets with a specific Host domain name
system (DNS) name.
Host NetBIOS Name
Set the filter to include or exclude any assets with a specific Host
Filter the asset by a IAVA (Information Assurance Vulnerability Alert)
number for the filter.
Filter the asset by IP Address(es) or IP Address Range.
Filter the asset by Microsoft KnowledgeBase ID Number(s).
KnowledgeBase Numbers describe artifacts related to Microsoft
products, including technical support.
Filter assets based upon the open ports on a system.
Determine which operating systems to include or exclude from the
Identifies all assets with at least one TCP or UDP port open (based on
Identifies all scan configurations that map to the scan name, then
extracts all IP ranges allowed for that scan configurations, and then
finds assets within the allowed IP ranges.
Filter the asset by a vulnerability name.
Filter the asset by vulnerability severity level(s).
Filter assets based on vulnerabilities found on the asset that are part
of a vulnerability set.
When dynamic asset tag 30B is set to enable automatic tagging, asset tag 30B may be updated every time it is used in a scan configuration, asset report template, or asset search. In certain situations (e.g., dynamic asset tag 30B is applied to more than 20,000 assets or asset filter conditions are complicated, as in returning all vulnerabilities, etc.), users 16 can deselect automatic tagging and update dynamic asset tag 30B manually as desired. In an example embodiment, asset tag module 28 may have a default setting where it will not run again if less than a pre-defined amount of time (e.g., 10 minutes) has elapsed since the tag was last run. For example, this may reduce the possibility of having multiple users trying to update the same query within a short period of time. In an example embodiment, if a query is to be updated within the 10 minutes, organization administrators can manually apply asset tag 30B to selected assets 18.
In another example embodiment, updating dynamic asset tag 30B is affected if it is referenced by another dynamic asset tag, and if the dynamic asset tags are set to update automatically or manually. For illustrative purposes only and not as a limitation, assume that Tag A is set to Auto (i.e., auto-update) and references Tag B and Tag C. Tag B is set to Manual (i.e., manual update) and references Tag D. Tag D is set to Auto. Tag C is set to Auto and references Tag E, Tag F, and Tag G. Tags E and G are set to Auto. Tag F is set to Manual. The tags may be viewed as a hierarchy as shown in the table:
Tag A (a)
Tag B (m)
Tag D (a)
Tag C (a)
Tag E (a)
Tag F (m)
Tag G (a)
When Tag A is updated, Tags C, E, and G are updated. Because Tag B is set to Manual, both Tag B and Tag D are not updated. Tag F is set to Manual and is not updated. When Tag B is manually updated, Tag D is updated automatically. When Tag C is updated, Tags E and G are updated automatically. Tag F must be updated manually. In the example embodiment, updating is performed from the bottom up, so updating Tag A updates Tags E and G, then Tag C, and finally Tag A. In the example embodiment, since Tags E and G are on the same level, there is no priority in updating Tags E and G.
When dynamic asset tag 30B is set to automatically update, the query associated with dynamic asset tag 30B may run every time the tag is used. For a large number of assets 18, updating dynamic asset tag 30B may take a long time. This can lengthen the time for a scan or asset report to finish running. For a large number of assets 18, users 16 may manually update dynamic asset tag 30B before running a scan configuration or asset report that contains this asset tag. Every time dynamic asset tag 30B is updated, asset tag 30B looks for changes since the last time asset tag 30B was updated.
When user 16 edits dynamic asset tags 30B, the asset tag is updated the next time it is applied or used. In an example embodiment, GUI 34 may be configured to permit user 16 to change the name of dynamic asset tag 30B (and the change is applied where the tag is used), and add or remove asset filters. In another example embodiment, GUI 34 may be configured to permit user 16 to delete dynamic asset tags 30B. When dynamic asset tag 30B is deleted, the asset tag is removed from all assets using that tag. In an asset report or a dynamic asset tag referencing the asset tag, deleted tags appear as <Deleted Asset Tag>. In scan configurations, deleted asset tag 30B is removed from the scan target page. An example embodiment may also permit users 16 to duplicate a dynamic asset tag. Duplication allows users 16 to start with an existing set of conditions and modify it to create a new one.
In a scan configuration, users 16 can browse for assets 18 based on one or more asset tags 30. In an example embodiment, GUI 34 may be configured to present a folder tree comprising a plurality of asset tags when user 16 browses by asset tag 30. In a scan configuration, users 16 can search for assets 18 based on a search type, like asset tag set, IP address, or operating system. Users 16 can search for assets 18 using asset tags 30, then assign other properties to those assets (e.g., criticality level or owner). Static asset tags are applied before the tags can be used in an asset search. In an asset report template, administrators can add one or more conditions to the asset filter and generate an asset filter expression to include or exclude assets based on one or more asset tags 30.
According to embodiments of the present disclosure, users 16 can generate a scan configuration with selected vulnerabilities on selected assets. User selection module 22 may call scan module 44 to generate the scan configuration. In an example embodiment, GUI 34 may be appropriately configured to permit user 16 to choose vulnerability sets 26 to be included in the scan. Scan engine 14 may call scan module 44 and run the scan on assets 18 for the selected vulnerabilities in vulnerability set 26.
According to an example embodiment of the present disclosure, by utilizing vulnerability set module 24 and asset tag module 28 of vulnerability manager 20, users 16 may significantly improve how they scan and report vulnerabilities. The old method of vulnerability scanning, essentially a model of “scan to produce a report,” is resource intensive, as each asset is scanned multiple times if multiple reports are desired. According to embodiments of the present disclosure, scanning may be used to fill a repository (e.g., a database) with unique vulnerabilities on a specific asset 18. User 16 may simply scan every asset 18 for vulnerabilities (e.g., using substantially all non-intrusive checks) in system 10. A vulnerability repository may thus be continually filled with up-to-date vulnerability data whenever scans are run.
Utilizing vulnerability set module 24 in vulnerability manager 20 may allow user 16 flexibility in their reporting, for example, to build and deliver reports with selected data to a selected audience. In an example embodiment, report module 32 may build reports based on vulnerability set 26 and appropriate asset tag 30 using an appropriately configured GUI 34. For example, GUI 34 may be configured with a link to generate a report, for example, from a new custom report template. In an example embodiment, GUI 34 may be configured to give the report template a name like “High and Medium Risk Application Vulnerabilities.”
Creating a vulnerability report may be analogous to a SQL query; however, the vulnerability report creation may not involve knowledge (or even access) to any database. User 16 may add vulnerability set 26 to a report template by generating a query including one or more conditions associated with vulnerability set 26. After running the scan, user 16 may generate a report from the report template, and the report may comprise one or more results from the scan meeting the conditions associated with vulnerability set 26 that are specified in the query of the report template. Users 16 may choose assets 18 to include in the report based on asset tags 30. GUI 34 may be configured to add a new condition, for example, one or more vulnerability sets (e.g., named “Windows Vulnerabilities” including vulnerabilities associated with Windows operating system). When report module 32 is run, the generated report may contain information pertaining to assets associated with the selected vulnerability sets (e.g., “Windows Vulnerabilities” and “High and Medium Risk Application Vulnerabilities”). The report template may be automatically updated when vulnerability set 26 is updated with a new vulnerability, such that when the updated report template is run, the corresponding report that is generated may include the new vulnerability.
Report module 32 may be configured to generate a report immediately, or schedule the report for later delivery to selected persons. When rule-based vulnerability sets 26B are used in the report template creation, the vulnerability set rules may be evaluated every time the report is scheduled to run; thus giving users 16 the latest set of vulnerability information that matches criteria in the selected vulnerability set. Such a “scan once, report many . . . ” model may allow more efficient vulnerability scanning (e.g., impacting assets when the data is refreshed) and more powerful reporting by customizing the output. To generate another report with a completely different set of criteria, re-scanning network 12 may not be called for; instead, a new report template with new criteria (e.g., conditions) may be generated and run on the previously scanned information.
Vulnerability manager 20 may be implemented on a physical or virtualized hardware connected to network 12, or may be implemented on specialized devices configured to scan networks. Not shown in vulnerability scan system 10 of
After the new vulnerability set is created in step 56, scan module 44 may check whether a scan exists in step 66. If a scan exists, the existing scan may be selected in step 70. Otherwise a new scan may be created in step 68. In step 72, the new vulnerability set 26A or 26B may be added to the scan. In step 74, the scan may be scheduled to run immediately or at some later time. When the scan is launched, scan engine 14 may run the scan and determine the existence of vulnerabilities in assets 18 in network 12. For a tree based vulnerability set, the scan may test for each of the vulnerabilities included in the tree based vulnerability set. For a rule based vulnerability set, the query is run to determine which vulnerabilities should be checked during the scan. Once the query is completed, the scan may test for each of the vulnerabilities identified by the query.
In step 76, user 16 can create an asset report using report module 32. An asset report template may be created in step 78, and appropriate assets chosen for reporting in step 80 using appropriate asset tags 30. Vulnerability sets may be used in asset tags 30 to create a logical expression that selects assets. For example, asset tag 30B may include a rule that the asset status is active and that a vulnerability of the asset is contained in a particular vulnerability set. Accordingly, assets meeting these criteria may be tagged with asset tag 30B (or the asset may be included within asset tag 30B). In step 80, assets may be chosen for reporting purposes based on asset tags 30, and/or any vulnerabilities they have and vulnerabilities from those assets may be reported even if such vulnerabilities are not within the particular vulnerability set associated with asset tag 30A or a particular vulnerability set of the asset report. Alternatively (or additionally), a particular vulnerability set 26 may be chosen in step 82 to choose the vulnerabilities to be included in the asset report. When report module 32 runs, the asset report is populated with selected vulnerability information on the selected assets. The process terminates in step 84. In other embodiments, asset tag 30 may be created prior to, concurrently with, or subsequent to, creating vulnerability set 26. Asset tag 30 may also be previously stored and accessed in step 78.
If user 16 decides to create dynamic asset tag 30B, user selection module 22 may call rule module 42. GUI 34 may be appropriately configured to permit user 16 to name dynamic asset tag 30B in step 120. In step 122, a condition (e.g., with appropriate filters for asset criticality, asset owner, asset group name, asset status, banner selection, etc.) may be added to a query. One or more vulnerability sets may also be included in an asset tag. Furthermore, tags may be referenced within tags (e.g., include all ABC systems OR all systems that have been manually tagged (static tags) with XYZ systems). In step 124, rule module 42 may allow user 16 to determine if all appropriate conditions have been included in the query. If not over, nested groups of conditions may be created in step 126 by looping back to step 122 to add conditions. When conditions for the query are over (e.g., all appropriate conditions have been included) as determined in step 124 the tags may applied to appropriate assets when saved. In one embodiment, tags may be applied automatically. For example, as new assets are added to the asset database, tags may be automatically applied when a scan is launched. The asset database can be searched for assets that match the dynamic tag query, tags can be applied to the matching assets, and the matching assets can be included in the scan. In addition, multiple tags, including static tags, may be applied to an asset.
Asset tag 30B may be added to an asset report template in step 128. Similarly, user 16 may add static asset tag 30A created in step 118 to the asset report template in step 128. In step 130, vulnerability set 26 may be optionally added to the asset report template to capture assets associated with selected vulnerabilities in vulnerability set 26. In step 132, an asset report may be created based on the asset report template. The asset report may have scan results for assets associated with asset tags 30A, 30B and/or vulnerability set 26. The process terminates in step 134.
The options for grouping computer vulnerabilities, as shown in the FIGURES herein, are for example purposes only. It will be appreciated that numerous other options, at least some of which are detailed herein in this Specification, may be provided in any combination with or exclusive of the options of the various FIGURES. Software for achieving the grouping computer vulnerabilities related operations outlined herein can be provided at various locations (e.g., the corporate IT headquarters, end user computers, distributed servers in the cloud, etc.). In some embodiments, this software could be received or downloaded from a web server (e.g., in the context of purchasing individual end-user licenses for separate networks, devices, servers, etc.) in order to provide this system for grouping computer vulnerabilities. In one example embodiment, this software is resident in one or more computers and/or web hosts sought to be protected from a security attack (or protected from unwanted or unauthorized manipulations of data).
In various embodiments, the software of system 10 for grouping computer vulnerabilities could involve a proprietary element (e.g., as part of a network security solution with McAfee® Vulnerability Manager (MVM) software, McAfee® ePolicy Orchestrator (ePO) software, etc.), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, distributed server, etc., or be provided as a complementary solution, or otherwise provisioned in the network.
In certain example embodiments, the activities related to grouping computer vulnerabilities as outlined herein may be implemented in software. This could be inclusive of software provided in vulnerability manager 20 and in other network elements (e.g., scan engine 14). These elements and/or modules can cooperate with each other in order to perform the activities related to grouping computer vulnerabilities as discussed herein. In other embodiments, these features may be provided external to these elements, included in other devices to achieve these intended functionalities, or consolidated in any appropriate manner. For example, some of the processors associated with the various elements may be removed, or otherwise consolidated such that a single processor and a single memory location are responsible for certain activities. In a general sense, the arrangement depicted in FIGURES may be more logical in its representation, whereas a physical architecture may include various permutations, combinations, and/or hybrids of these elements.
In various embodiments, some or all of these elements include software (or reciprocating software) that can coordinate, manage, or otherwise cooperate in order to achieve the grouping computer vulnerabilities related operations, as outlined herein. One or more of these elements may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. In the embodiment involving software, such a configuration may be inclusive of logic encoded in one or more tangible media, which may be inclusive of non-transitory media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.).
In some of these instances, one or more memory elements (e.g., memory 38) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, processor 36 could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM)), an ASIC that includes digital logic, software, code, electronic instructions, flash memory, optical disks, CD-ROMs, DVD ROMs, magnetic or optical cards, other types of machine-readable mediums suitable for storing electronic instructions, or any suitable combination thereof.
System 10 and other associated components in system 10 can include one or more memory elements (e.g., memory 38) for storing information to be used in achieving operations associated with the application assessment as outlined herein. These devices may further keep information in any suitable type of memory element (e.g., random access memory (RAM), read only memory (ROM), field programmable gate array (FPGA), erasable programmable read only memory (EPROM), electrically erasable programmable ROM (EEPROM), etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. The information being tracked, sent, received, or stored in system 10 (e.g., vulnerability sets 26, asset tags 30, discovered vulnerabilities, reports, etc) could be provided in any database, register, table, cache, queue, control list, or storage structure, based on particular needs and embodiments, all of which could be referenced in any suitable timeframe. Any of the memory items discussed herein should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers may also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment.
Note that with the numerous examples provided herein, interaction may be described in terms of two, three, four, or more network elements. However, this has been done for purposes of clarity and example only. It should be appreciated that the system can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated computers, modules, components, and elements of FIGURES may be combined in various possible configurations, all of which are clearly within the broad scope of this Specification. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of network elements. It should be appreciated that the system of FIGURES (and corresponding teachings) is readily scalable and can accommodate a large number of components, as well as more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of system 10 as potentially applied to a myriad of other architectures.
It is also important to note that the operations described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, the system. Some of these operations may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, the timing of these operations may be altered considerably and still achieve the results taught in this disclosure. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by the system in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5987610||Feb 12, 1998||Nov 16, 1999||Ameritech Corporation||Computer virus screening methods and systems|
|US6073142||Jun 23, 1997||Jun 6, 2000||Park City Group||Automated post office based rule analysis of e-mail messages and other data objects for controlled distribution in network environments|
|US6298445 *||Apr 30, 1998||Oct 2, 2001||Netect, Ltd.||Computer security|
|US6460050||Dec 22, 1999||Oct 1, 2002||Mark Raymond Pace||Distributed content identification system|
|US6546493 *||Nov 30, 2001||Apr 8, 2003||Networks Associates Technology, Inc.||System, method and computer program product for risk assessment scanning based on detected anomalous events|
|US6804727 *||Feb 23, 2001||Oct 12, 2004||Lexmark International, Inc.||Method for communication from a host computer to a peripheral device|
|US6957348 *||Jan 10, 2001||Oct 18, 2005||Ncircle Network Security, Inc.||Interoperability of vulnerability and intrusion detection systems|
|US7213154 *||Jul 9, 2004||May 1, 2007||Cisco Technology, Inc.||Query data packet processing and network scanning method and apparatus|
|US7266842 *||Apr 18, 2002||Sep 4, 2007||International Business Machines Corporation||Control function implementing selective transparent data authentication within an integrated system|
|US7506155||May 31, 2005||Mar 17, 2009||Gatekeeper Llc||E-mail virus protection system and method|
|US7734933 *||Jun 17, 2005||Jun 8, 2010||Rockwell Collins, Inc.||System for providing secure and trusted computing environments through a secure computing module|
|US7761918||Dec 21, 2004||Jul 20, 2010||Tenable Network Security, Inc.||System and method for scanning a network|
|US7891000||Aug 5, 2005||Feb 15, 2011||Cisco Technology, Inc.||Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers|
|US7984057||May 10, 2005||Jul 19, 2011||Microsoft Corporation||Query composition incorporating by reference a query definition|
|US8095984 *||Mar 2, 2006||Jan 10, 2012||Alcatel Lucent||Systems and methods of associating security vulnerabilities and assets|
|US8127059 *||Sep 5, 2006||Feb 28, 2012||Pmc-Sierra Us, Inc.||Apparatus for interconnecting hosts with storage devices|
|US8225409||Mar 23, 2006||Jul 17, 2012||Belarc, Inc.||Security control verification and monitoring subsystem for use in a computer information database system|
|US8266700 *||May 16, 2005||Sep 11, 2012||Hewlett-Packard Development Company, L. P.||Secure web application development environment|
|US8353043 *||Mar 28, 2008||Jan 8, 2013||Electronics And Telecommunications Research Institute||Web firewall and method for automatically checking web server for vulnerabilities|
|US8438643||Mar 2, 2006||May 7, 2013||Alcatel Lucent||Information system service-level security risk analysis|
|US9251351||Oct 11, 2011||Feb 2, 2016||Mcafee, Inc.||System and method for grouping computer vulnerabilities|
|US20010034847 *||Mar 27, 2001||Oct 25, 2001||Gaul,Jr. Stephen E.||Internet/network security method and system for checking security of a client from a remote facility|
|US20010039579 *||May 7, 1997||Nov 8, 2001||Milan V. Trcka||Network security and surveillance system|
|US20030212779 *||Apr 29, 2003||Nov 13, 2003||Boyter Brian A.||System and Method for Network Security Scanning|
|US20030233438 *||Oct 4, 2002||Dec 18, 2003||Robin Hutchinson||Methods and systems for managing assets|
|US20040003262 *||Jun 28, 2002||Jan 1, 2004||Paul England||Methods and systems for protecting data in USB systems|
|US20040006704 *||Jul 2, 2002||Jan 8, 2004||Dahlstrom Dale A.||System and method for determining security vulnerabilities|
|US20040073800 *||May 22, 2003||Apr 15, 2004||Paragi Shah||Adaptive intrusion detection system|
|US20040107340 *||Aug 6, 2003||Jun 3, 2004||Shuning Wann||Real time data encryption/decryption system and method for IDE/ATA data transfer|
|US20040153696 *||Dec 18, 2002||Aug 5, 2004||Ravikumar Govindaraman||Device and method that allows single data recovery circuit to support multiple USB ports|
|US20040221176 *||Apr 29, 2003||Nov 4, 2004||Cole Eric B.||Methodology, system and computer readable medium for rating computer system vulnerabilities|
|US20060021050 *||Jul 22, 2004||Jan 26, 2006||Cook Chad L||Evaluation of network security based on security syndromes|
|US20060041936 *||Aug 19, 2004||Feb 23, 2006||International Business Machines Corporation||Method and apparatus for graphical presentation of firewall security policy|
|US20060179144 *||Jan 19, 2006||Aug 10, 2006||Nec Electronics Corporation||USB hub, USB-compliant apparatus, and communication system|
|US20060282897 *||Aug 21, 2006||Dec 14, 2006||Caleb Sima||Secure web application development and execution environment|
|US20070061885 *||Mar 31, 2006||Mar 15, 2007||Hammes Peter C||System and method for managing security testing|
|US20070113285 *||Jan 8, 2007||May 17, 2007||Flowers John S||Interoperability of Vulnerability and Intrusion Detection Systems|
|US20070169199 *||Sep 11, 2006||Jul 19, 2007||Forum Systems, Inc.||Web service vulnerability metadata exchange system|
|US20070177615 *||Jan 11, 2007||Aug 2, 2007||Miliefsky Gary S||Voip security|
|US20080092237 *||Oct 26, 2006||Apr 17, 2008||Jun Yoon||System and method for network vulnerability analysis using multiple heterogeneous vulnerability scanners|
|US20080198856 *||Nov 14, 2005||Aug 21, 2008||Vogel William A||Systems and methods for modifying network map attributes|
|US20080201780 *||Feb 20, 2007||Aug 21, 2008||Microsoft Corporation||Risk-Based Vulnerability Assessment, Remediation and Network Access Protection|
|US20080209566 *||Jun 22, 2006||Aug 28, 2008||Raw Analysis Ltd.||Method and System For Network Vulnerability Assessment|
|US20080276302 *||Mar 5, 2008||Nov 6, 2008||Yoggie Security Systems Ltd.||System and Method for Providing Data and Device Security Between External and Host Devices|
|US20090049307 *||Aug 13, 2007||Feb 19, 2009||Authennex, Inc.||System and Method for Providing a Multifunction Computer Security USB Token Device|
|US20090106843 *||Nov 16, 2007||Apr 23, 2009||Pil-Yong Kang||Security risk evaluation method for effective threat management|
|US20090113202 *||Oct 30, 2007||Apr 30, 2009||Honeywell International Inc.||System and method for providing secure network communications|
|US20090144536 *||Sep 19, 2008||Jun 4, 2009||Wistron Corporation||Monitoring method and monitor apparatus|
|US20090222685 *||Feb 15, 2007||Sep 3, 2009||Fiberbyte Pty Ltd||Distributed synchronization and timing system|
|US20100031085 *||Jul 30, 2008||Feb 4, 2010||Apple Inc.||Method for reducing host device to electronic device communication errors|
|US20100088454 *||Jun 25, 2009||Apr 8, 2010||Chi-Tung Chang||Bridging device with power-saving function|
|US20100177901 *||Jan 9, 2009||Jul 15, 2010||Ibm Corporation||System and service to facilitate encryption in data storage devices|
|US20100235655 *||Jan 13, 2010||Sep 16, 2010||Tauscher Brian E||Method and apparatus for implementing a limited functionality embedded universal serial bus (USB) host controller on a fully functional downstream USB port|
|US20100281248||Jun 21, 2010||Nov 4, 2010||Lockhart Malcolm W||Assessment and analysis of software security flaws|
|US20110060858 *||Sep 4, 2009||Mar 10, 2011||Chang-Hao Chiang||Method for enhancing performance of data access between a personal computer and a usb mass storage, associated personal computer, and storage medium storing an associated usb mass storage driver|
|US20110093954||Dec 15, 2009||Apr 21, 2011||Electronics And Telecommunications Research Institute||Apparatus and method for remotely diagnosing security vulnerabilities|
|US20110119765 *||Nov 18, 2009||May 19, 2011||Flexilis, Inc.||System and method for identifying and assessing vulnerabilities on a mobile communication device|
|US20110126288 *||Nov 24, 2009||May 26, 2011||Honeywell International Inc.||Method for software vulnerability flow analysis, generation of vulnerability-covering code, and multi-generation of functionally-equivalent code|
|US20110185431 *||Jan 28, 2010||Jul 28, 2011||Tenable Network Security, Inc.||System and method for enabling remote registry service security audits|
|US20110191854 *||Mar 30, 2010||Aug 4, 2011||Anastasios Giakouminakis||Methods and systems for testing and analyzing vulnerabilities of computing systems based on exploits of the vulnerabilities|
|US20110231936 *||Aug 27, 2010||Sep 22, 2011||Aspect Security Inc.||Detection of vulnerabilities in computer systems|
|US20120151109 *||Dec 9, 2010||Jun 14, 2012||Wee Hoo Cheah||Method and apparatus to reduce serial bus transmission power|
|US20120304300 *||Apr 9, 2012||Nov 29, 2012||Lockheed Martin Corporation||Enterprise vulnerability management|
|US20130046993 *||Oct 12, 2012||Feb 21, 2013||Spyrus, Inc.||Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption|
|US20130167254 *||Dec 22, 2011||Jun 27, 2013||Joel Gyllenskog||Universal Serial Bus Shield|
|US20130254838 *||May 16, 2013||Sep 26, 2013||Ratinder Ahuja||System and method for data mining and security policy management|
|1||*||"McAfee Vulnerability Manager 7.0.2", Mar. 21, 2011, McAfee, Inc.|
|2||McAfee Vulnerability Manager 7.0.1, Last Modified: Dec. 13, 2010, retrieved and printed on Sep. 20, 2011 from website: https://kc.mcafee.com/corporate/index?page=content&id=PD22896&pmv=print (10 pages).|
|3||McAfee Vulnerability Manager 7.0.2, Last Modified: Mar. 21, 2011, retrieved and printed on Sep. 20, 2011 from website: https://kc.mcafee.com/corporate/index?page=content&id=PD23047 (32 pages).|
|4||McAfee Vulnerability Manager ePO, Extension 6.8, Installation and Product Guide for ePO 4.0, copyright 2009 McAfee, Inc., retrieved and printed on Sep. 20, 2011 from website: https://community.mcafee.com/thread/23729 (20 pages).|
|5||McAfee Vulnerability Manager ePO, Extension 6.8, Installation and Product Guide for ePO 4.5, copyright 2009 McAfee, Inc., retrieved and printed on Sep. 20, 2011 from website: https://community.mcafee.com/thread/23729 (20 pages).|
|6||McAfee Vulnerability Manager, Data Sheet, copyright 2010 McAfee, Inc., retrieved and printed on Sep. 20, 2011 from website: www.mcafee.com/in/resources/data-sheets/ds-vulnerability-manager.pdf (2 pages).|
|7||Scan Properties-General Vulnerabilities, published on Jul. 26, 2005, retrieved and printed on Sep. 21, 2011 (3 pages).|
|8||Scan Properties—General Vulnerabilities, published on Jul. 26, 2005, retrieved and printed on Sep. 21, 2011 (3 pages).|
|9||U.S. Appl. No. 13/270,946, filed Oct. 11, 2011, Inventors James M. Hugard IV, et al., entitled "System and Method for Grouping Computer Vulnerabilities".|
|10||USPTO Feb. 4, 2013 Nonfinal Office Action from U.S. Appl. No. 13/270,946, 10 pages.|
|11||USPTO Jun. 2, 2015 Final Rejection from U.S. Appl. No. 13/270,946, 19 pages.|
|12||USPTO Jun. 5, 2013 Final Office Action from U.S. Appl. No. 13/270,946, 12 pages.|
|13||USPTO Nov. 14, 2014 Nonfinal Rejection from U.S. Appl. No. 13/270,946, 31 pages.|
|14||USPTO Oct. 24, 2013 Nonfinal Rejection from U.S. Appl. No. 13/270,946, 13 pages.|
|15||USPTO Sep. 28, 2015 Notice of Allowance from U.S. Appl. No. 13/270,946, 11 pages.|
|16||What's new in McAfee Vulnerability Manager 7.0.1, copyright 2010 McAfee, Inc., created on Dec. 16, 2010, retrieved and printed on Sep. 21, 2011 from website: https://community.mcafee.com/docs/DOC-2011 (5 pages).|
|International Classification||G06F11/30, H04L29/06, G06F21/57|
|Cooperative Classification||G06F11/3051, H04L63/1433, H04L63/20, G06F21/57, G06F21/577|
|Sep 21, 2011||AS||Assignment|
Owner name: MCAFEE, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUGARD, JAMES M., IV;LEROUX, ALEXANDER LAWRENCE;MALLABARAPU, CHARLES;AND OTHERS;SIGNING DATES FROM 20110902 TO 20110920;REEL/FRAME:026944/0763
|Aug 24, 2017||AS||Assignment|
Owner name: MCAFEE, LLC, CALIFORNIA
Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918
Effective date: 20161220